81 lines
4.4 KiB
JavaScript
81 lines
4.4 KiB
JavaScript
const { test, expect } = require('@playwright/test');
|
|
|
|
test.describe('Security Headers Tests', () => {
|
|
test('should have all required security headers', async ({ page }) => {
|
|
try {
|
|
// Navigate to the page with a timeout
|
|
await page.goto('http://localhost:8080', { timeout: 30000 });
|
|
|
|
// Get response headers
|
|
const response = await page.waitForResponse('http://localhost:8080', { timeout: 30000 });
|
|
const headers = response.headers();
|
|
|
|
// Define required headers and their expected values
|
|
const requiredHeaders = {
|
|
'Content-Security-Policy': expect.stringContaining("default-src 'self'"),
|
|
'X-Content-Type-Options': 'nosniff',
|
|
'X-Frame-Options': 'DENY',
|
|
'X-XSS-Protection': '1; mode=block',
|
|
'Referrer-Policy': 'strict-origin-when-cross-origin',
|
|
'Permissions-Policy': expect.stringContaining('geolocation=()'),
|
|
'Strict-Transport-Security': expect.stringContaining('max-age=31536000'),
|
|
};
|
|
|
|
// Check each required header
|
|
for (const [header, expectedValue] of Object.entries(requiredHeaders)) {
|
|
const headerValue = headers[header.toLowerCase()];
|
|
console.log(`Checking header: ${header}, Value: ${headerValue}`);
|
|
expect(headerValue, `${header} is not defined`).toBeDefined();
|
|
if (typeof expectedValue === 'string') {
|
|
expect(headerValue, `${header} does not match expected value`).toBe(expectedValue);
|
|
} else {
|
|
expect(headerValue, `${header} does not match expected pattern`).toMatch(expectedValue);
|
|
}
|
|
}
|
|
} catch (error) {
|
|
console.error('Error in security headers test:', error);
|
|
throw new Error(`Failed to load local server for security headers test: ${error.message}`);
|
|
}
|
|
});
|
|
|
|
test('should have correct CSP directives with hash', async ({ page }) => {
|
|
try {
|
|
await page.goto('http://localhost:8080', { timeout: 30000 });
|
|
const response = await page.waitForResponse('http://localhost:8080', { timeout: 30000 });
|
|
const headers = response.headers();
|
|
const csp = headers['content-security-policy'];
|
|
|
|
// Check for essential CSP directives
|
|
console.log('CSP Header:', csp);
|
|
expect(csp, 'CSP header is not defined').toBeDefined();
|
|
expect(csp, 'CSP does not contain default-src directive').toContain("default-src 'none'");
|
|
expect(csp, 'CSP does not contain script-src with hash').toContain("script-src 'self' 'sha256-ryQsJ+aghKKD/CeXgx8jtsnZT3Epp3EjIw8RyHIq544='");
|
|
expect(csp, 'CSP does not contain style-src with hash').toContain("style-src 'self' 'sha256-Mo+7o3oPEKpX7fqRvTtunvQHlIDhJ0SxAMG1PCNniCI='");
|
|
expect(csp, 'CSP does not contain img-src directive').toContain("img-src 'self' data:");
|
|
expect(csp, 'CSP does not contain font-src directive').toContain("font-src 'self' data:");
|
|
expect(csp, 'CSP does not contain connect-src directive').toContain("connect-src 'self'");
|
|
} catch (error) {
|
|
console.error('Error in CSP directives test:', error);
|
|
throw new Error(`Failed to load local server for CSP test: ${error.message}`);
|
|
}
|
|
});
|
|
|
|
test('should have integrity attributes on script tags', async ({ page }) => {
|
|
try {
|
|
await page.goto('http://localhost:8080', { timeout: 30000 });
|
|
|
|
// Check that all script tags have integrity attributes
|
|
const scripts = await page.$$('script');
|
|
console.log(`Found ${scripts.length} script tags`);
|
|
for (const script of scripts) {
|
|
const hasIntegrity = await script.evaluate(el => el.hasAttribute('integrity'));
|
|
const src = await script.evaluate(el => el.getAttribute('src') || 'inline script');
|
|
console.log(`Script ${src} has integrity: ${hasIntegrity}`);
|
|
expect(hasIntegrity, `Script tag ${src} missing integrity attribute`).toBeTruthy();
|
|
}
|
|
} catch (error) {
|
|
console.error('Error in integrity attributes test:', error);
|
|
throw new Error(`Failed to load local server for integrity test: ${error.message}`);
|
|
}
|
|
});
|
|
});
|